Lovense tried to silence me, hacker claims


An ethical hacker claims that a sex toy maker, popular among cam models, attempted to silence them over account takeover and email-leaking vulnerabilities.

Lovense, a Singaporean sex toy maker, has only just fixed two bugs that allowed account takeovers and leaked emails.

The ethical hacker who prompted the fix, BobDaHacker, provided updates for Cybernews on the drama that seemed to have snowballed.


In an updated blog post, the hacker said that “both critical vulnerabilities were finally fixed on July 30th, 2025 – but only after public pressure forced its hand.”

Cybernews has reached out to Lovense for comment.

Lovense email vulnerability finally resolved following backlash

Despite being told by Lovense in June that it had a one-month fix in the pipeline for the email vulnerability, BobDaHacker says the company instead opted for a 14-month timeline, citing “legacy support.”

“After we pushed back, it agreed to implement fixes faster and gave us deadlines (June 19th and July 3rd), but those came and went with nothing actually fixed,” BobDaHacker claims.

However, after a media frenzy and pressure from researchers, Lovense fixed the email-leaking vulnerability in just two days.

“It finally removed all email-based JIDs from their XMPP server. It already had internal user IDs (ofId) but was maintaining both systems. Now:”

[Screenshot from BobDaHacker's blog post]

“This now correctly shows that users log in with just the user ID (without the @im.lovense.com part), and then the roster entries have the full JID format,” BobDaHacker said.
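The fix BobDaHacker describes swaps the XMPP localpart from something derived from the user's email to an opaque internal ID, so a roster listing no longer reveals who is on the other end. The check below, an added example that is not code from BobDaHacker's post or from Lovense, parses a `jabber:iq:roster` result stanza, splits each JID into localpart, domain and resource per RFC 6122, reverses XEP-0106 escaping (which encodes `@` as `\40`), and flags any localpart that decodes to an email address. The roster stanza, the `im.example.net` domain and the JIDs in it are constructed for the example; the exact JID format Lovense used before the fix is not reproduced here.

```python
import re
import xml.etree.ElementTree as ET

# XEP-0106 escape sequences. "\5c" (the backslash itself) is decoded last so that
# a decoded backslash cannot combine with following characters into a new sequence.
_XEP0106 = {
    r"\20": " ", r"\22": '"', r"\26": "&", r"\27": "'", r"\2f": "/",
    r"\3a": ":", r"\3c": "<", r"\3e": ">", r"\40": "@",
}
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample: one roster entry whose localpart is an escaped email address,
# one whose localpart is an opaque user ID (the shape of the fix described above).
SAMPLE_ROSTER = """<iq type="result" id="roster_1">
  <query xmlns="jabber:iq:roster">
    <item jid="alice\\40example.com@im.example.net" subscription="both"/>
    <item jid="8f3c21a7@im.example.net" subscription="both"/>
  </query>
</iq>"""


def split_jid(jid):
    """Split a JID into (localpart, domain, resource); localpart/resource may be None."""
    bare, _, resource = jid.partition("/")
    local, sep, domain = bare.rpartition("@")   # rpartition tolerates a stray '@' in the localpart
    if not sep:
        return None, bare, resource or None
    return local, domain, resource or None


def unescape_localpart(local):
    """Reverse XEP-0106 escaping of a JID localpart."""
    for seq, ch in _XEP0106.items():
        local = local.replace(seq, ch)
    return local.replace(r"\5c", "\\")


def jid_embeds_email(jid):
    """True if the JID's localpart decodes to an email address (an identity leak)."""
    local, _, _ = split_jid(jid)
    if local is None:
        return False
    return bool(_EMAIL_RE.match(unescape_localpart(local)))


def roster_email_leaks(iq_xml):
    """Return the roster JIDs whose localpart decodes to an email address."""
    root = ET.fromstring(iq_xml)
    ns = "{jabber:iq:roster}"
    return [item.get("jid") for item in root.iter(ns + "item")
            if jid_embeds_email(item.get("jid", ""))]


if __name__ == "__main__":
    for jid in roster_email_leaks(SAMPLE_ROSTER):
        print("email exposed in roster JID:", jid)
```

Run against a roster result captured from your own account: any JID the function returns is a contact whose email address is recoverable by every user that can see them in a roster, which is the class of exposure the fix removed.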

Lovense account takeover vulnerability fixed after years

BobDaHacker reports that the account takeover vulnerability has been fully fixed after years of responsible disclosure from researchers.

The endpoint involved (/api/connect/genGtoken) now returns an HTTP 404, which the researcher says shows it has been removed entirely rather than merely patched.

The timeline presented by BobDaHacker is troubling, as it shows Lovense took almost two years to resolve the account takeover vulnerability.

Another researcher, Krissy, reported the issue in September 2023. After BobDaHacker’s research went viral, Lovense initiated a partial fix in June 2025.

Then, finally, on July 30th, 2025, the sex toy maker fully fixed the vulnerability, and the endpoint was removed completely.

Hacker alleges attempt at silencing

The hacker claims the sex toy maker tried to silence them and to get them banned from the bug bounty platform HackerOne.

“Lovense is now trying to get me banned from HackerOne for unauthorized disclosure,” BobDaHacker said via their blog post.


But the hacker came with receipts: BobDaHacker published the email correspondence between themself and Lovense on their blog.

On May 30th, 2025, the researcher told Lovense they intended to publish their findings due to the “severity of these issues.”

Lovense responded on June 4th, 2025, asking what channel the hacker intended to publish their findings on.

“As previously planned, we will proceed with publishing our findings in one month, sometime in July, on our security research blog," BobDaHacker told Lovense via email ten days later.

After three days, Lovense replied, stating that the company respects their decision to publish their findings and appreciates their “commitment to transparency.”

The sex toy maker asked the researcher if it could see the blog post before it went live to “ensure (its) latest updates and response are accurately reflected.”

After all the pleasantries, Lovense supposedly went to HackerOne claiming that BobDaHacker’s research "violates HackerOne's Code of Conduct."

The researcher claims that Lovense demanded they take down “all public mentions within 48 hours or face a permanent ban.”

What’s Lovense’s take on all of this?

Cybernews reached out to Lovense regarding the vulnerability drama.


Lovense’s CEO, Dan Liu, said in a statement provided to Cybernews that the sex toy maker is committed to “maintaining the trust of our customers and partners,” as its “highest priority.”

Liu clarifies that the researcher found these vulnerabilities in controlled conditions and points to the company's bug bounty program on HackerOne, which it joined in 2018.

The company states that all vulnerabilities have been addressed, and there is “no evidence suggesting that any user data, including email addresses or account information, has been compromised or misused.”

Lovense’s CEO says that “updates have been deployed to all users” and “the email address exposure vulnerability has been fully resolved.”

“Users must upgrade to the latest version to properly access all functions that may be affected by this vulnerability. While those who do not upgrade will not face security risks, certain features will become unavailable,” Liu said.

The second vulnerability involving account takeover has also been resolved following verification by the Lovense team.

“In our commitment to privacy and security, we submitted these fixes to the bug bounty platform for further independent testing to ensure the robustness of our solutions. This is standard practice to safeguard user privacy and security,” Liu said in a statement provided to Cybernews.

Lovense describes itself as a “complex machine, where each component must function harmoniously for overall safety and reliability.”

“We adopted a dual-track strategy of emergency response and long-term optimization. The originally scheduled long-term 14-month system reconstruction plan was completed significantly ahead of schedule due to the team's dedicated efforts and increased resource allocation,” the statement reads.


Lovense has also said that due to the “erroneous reports online,” the sex toy maker’s legal team is “investigating the possibility of legal action.”